github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-16 04:17:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor: move /pkg/meta/signatures under /pkg/extensions/imagetrust (#1712)

Browse Source 
- the size of the binary-minimal becomes 32MB
- "signatures" package is renamed into "imagetrust" and moved under extensions
- if the binary is not built using "imagetrust" tag then the signatures verification will
not be performed

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
This commit is contained in:
Andreea Lupu
2023-08-19 08:52:03 +03:00
committed by GitHub
parent faf702f9c2
commit cacf54e8cb
18 changed files with 218 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/storage/common/common.go
+6 -3
View File
@@ -17,7 +17,6 @@ import (
ispec "github.com/opencontainers/image-spec/specs-go/v1"
oras "github.com/oras-project/artifacts-spec/specs-go/v1"
"github.com/rs/zerolog"
"github.com/sigstore/cosign/v2/pkg/oci/remote"
zerr "zotregistry.io/zot/errors"
zcommon "zotregistry.io/zot/pkg/common"
@@ -26,7 +25,11 @@ import (
storageTypes "zotregistry.io/zot/pkg/storage/types"
)
const manifestWithEmptyLayersErrMsg = "layers: Array must have at least 1 items"
const (
manifestWithEmptyLayersErrMsg = "layers: Array must have at least 1 items"
cosignSignatureTagSuffix = "sig"
)
func GetTagsByIndex(index ispec.Index) []string {
tags := make([]string, 0)
@@ -559,7 +562,7 @@ func IsSignature(descriptor ispec.Descriptor) bool {
switch descriptor.MediaType {
case ispec.MediaTypeImageManifest:
// is cosgin signature
if strings.HasPrefix(tag, "sha256-") && strings.HasSuffix(tag, remote.SignatureTagSuffix) {
if strings.HasPrefix(tag, "sha256-") && strings.HasSuffix(tag, cosignSignatureTagSuffix) {
return true
}
pkg/storage/local/local.go
+9 -5
View File
@@ -26,7 +26,6 @@ import (
"github.com/opencontainers/umoci/oci/casext"
oras "github.com/oras-project/artifacts-spec/specs-go/v1"
"github.com/rs/zerolog"
"github.com/sigstore/cosign/v2/pkg/oci/remote"
zerr "zotregistry.io/zot/errors"
zcommon "zotregistry.io/zot/pkg/common"
@@ -41,6 +40,11 @@ import (
"zotregistry.io/zot/pkg/test/inject"
)
const (
cosignSignatureTagSuffix = "sig"
SBOMTagSuffix = "sbom"
)
// ImageStoreLocal provides the image storage operations.
type ImageStoreLocal struct {
rootDir string
@@ -1547,8 +1551,8 @@ func (is *ImageStoreLocal) garbageCollect(dir string, repo string) error {
tag, ok := desc.Annotations[ispec.AnnotationRefName]
if ok {
// gather cosign references
if strings.HasPrefix(tag, "sha256-") && (strings.HasSuffix(tag, remote.SignatureTagSuffix) ||
strings.HasSuffix(tag, remote.SBOMTagSuffix)) {
if strings.HasPrefix(tag, "sha256-") && (strings.HasSuffix(tag, cosignSignatureTagSuffix) ||
strings.HasSuffix(tag, SBOMTagSuffix)) {
cosignDescriptors = append(cosignDescriptors, desc)
continue
@@ -1680,13 +1684,13 @@ func gcCosignReferences(imgStore *ImageStoreLocal, oci casext.Engine, index *isp
// check if we can find the manifest which the reference points to
for _, desc := range index.Manifests {
// signature
subject := fmt.Sprintf("sha256-%s.%s", desc.Digest.Encoded(), remote.SignatureTagSuffix)
subject := fmt.Sprintf("sha256-%s.%s", desc.Digest.Encoded(), cosignSignatureTagSuffix)
if subject == cosignDesc.Annotations[ispec.AnnotationRefName] {
foundSubject = true
}
// sbom
subject = fmt.Sprintf("sha256-%s.%s", desc.Digest.Encoded(), remote.SBOMTagSuffix)
subject = fmt.Sprintf("sha256-%s.%s", desc.Digest.Encoded(), SBOMTagSuffix)
if subject == cosignDesc.Annotations[ispec.AnnotationRefName] {
foundSubject = true
}